Cyber Resilience

CVE-2024-48286

Severity: High · Public PoC · RCE

Published: 21 November 2024

Modified: 30 June 2025
KEV Added: not listed
Patch: (no entry)
CVSS Score v3.1: 8.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.2897 (96.7th percentile)
Risk Priority: 33 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-48286 is a high-severity command injection (CWE-77) vulnerability in Linksys E3000 firmware. Its CVSS base score is 8.0 (High).

Operationally, it ranks in the top 3.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2024-48286 is a command injection vulnerability in the Linksys E3000 router running firmware version 1.0.06.002_US, specifically within the diag_ping_start function. The flaw is tracked under CWE-77 and carries a CVSS 3.1 base score of 8.0, reflecting a network attack vector, low attack complexity, low privileges required and required user interaction (UI:R).

An attacker who can reach the device's web interface can supply crafted input to the affected function, resulting in arbitrary command execution on the device. Successful exploitation grants the attacker the ability to read, modify, or delete data and fully compromise the router's confidentiality, integrity, and availability.
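The paragraph above describes the generic CWE-77 failure mode in a router diagnostic page: a user-supplied ping target is spliced into a shell command. The example below is added here for illustration and is not the Linksys firmware code or the referenced proof-of-concept; the function names (`unsafe_ping_command`, `validate_target`, `build_ping_argv`, `run_diag_ping`) and the sample targets are constructed. It shows the unsafe string-building pattern next to a hardened handler that validates the target as an IP literal or RFC 1123 hostname and passes an argument vector to the process without a shell, so metacharacters in the input are rejected rather than interpreted.

```python
import ipaddress
import re
import subprocess
from typing import List

# Hypothetical diagnostic-ping handler modelled on a router web UI; not the Linksys code.
HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
MAX_COUNT = 10


def unsafe_ping_command(target: str, count: int = 3) -> str:
    """The CWE-77 pattern: the user-controlled target is concatenated into a
    command string intended for a shell. Returned (never executed) so the
    surviving metacharacters can be inspected."""
    return f"ping -c {count} {target}"


def validate_target(target: str) -> str:
    """Accept only an IPv4/IPv6 literal or an RFC 1123 hostname; reject
    everything else, including shell metacharacters and option-like values
    such as '-f' (labels may not start with a hyphen)."""
    if len(target) > 253:
        raise ValueError("target too long")
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass  # not an IP literal; fall through to hostname check
    labels = target.rstrip(".").split(".")
    if not all(HOSTNAME_LABEL.match(label) for label in labels):
        raise ValueError(f"invalid ping target: {target!r}")
    return target


def build_ping_argv(target: str, count: int = 3) -> List[str]:
    """Build the argument vector for ping. Each element becomes one argv
    entry, so the validated host can never be parsed as additional commands."""
    host = validate_target(target)
    if not isinstance(count, int) or not 1 <= count <= MAX_COUNT:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), host]


def run_diag_ping(target: str, count: int = 3) -> subprocess.CompletedProcess:
    """Hardened handler: no shell, bounded count, bounded runtime."""
    argv = build_ping_argv(target, count)
    return subprocess.run(argv, capture_output=True, text=True, timeout=30)


if __name__ == "__main__":
    # Constructed inputs: a benign target and one carrying a shell separator.
    print(unsafe_ping_command("192.0.2.1; id"))   # separator survives into the command string
    print(build_ping_argv("192.0.2.1", 3))        # ['ping', '-c', '3', '192.0.2.1']
    try:
        build_ping_argv("192.0.2.1; id")
    except ValueError as exc:
        print("rejected:", exc)
```

The detection angle follows from the same validator: any request to the diagnostic endpoint whose target field fails `validate_target` is worth logging as a probe, since a legitimate client never needs characters outside the hostname and IP alphabets.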

A publicly available proof-of-concept exploit has been published on GitHub. The current EPSS score of 0.2897 matches its recorded peak and does not indicate a post-disclosure rise in observed exploitation interest.

Vulnerability details

Linksys E3000 1.0.06.002_US is vulnerable to command injection via the diag_ping_start function.

CWE(s): CWE-77 (Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: linksys
Product: e3000 firmware
Version: 1.0.06.002

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
